Apple to Address '0.0.0.0' Security Vulnerability in Safari 18

by

Apple plans to block websites from attempting to send malicious requests to the IP address 0.0.0.0 on macOS Sequoia, according to Forbes. The means the change will be part of Safari 18, which will also be available for macOS Sonoma and macOS Ventura.

safari icon blue banner
This decision comes after researchers from Israeli cybersecurity startup Oligo Security said they discovered a zero-day security vulnerability that allows a malicious actor to access private data on a user's internal private network. The researchers will present their findings this weekend at the DEF CON hacking conference in Las Vegas.

"Exploiting 0.0.0.0-day can let the attacker access the internal private network of the victim, opening a wide range of attack vectors," said Avi Lumelsky, a researcher at Oligo Security.

The researchers responsibly disclosed the vulnerability to Apple, Google, and Mozilla. More details are available on the AppSec Village website.

macOS Sequoia and Safari 18 are currently in beta and will be widely released later this year.

Tag: Safari
Related Forum: macOS Sequoia

Popular Stories

ios 26 1 slide to stop

iOS 26.1 Brings Back 2007 Feature in New Way

Friday October 31, 2025 1:40 pm PDT by
The upcoming iOS 26.1 update includes a small but helpful change for iPhones, and it could prevent you from running late to something important. Specifically, when an alarm goes off in the Clock app, there is a new "slide to stop" control on the screen for turning off the alarm. On previous iOS 26 versions, there is simply a large "stop" button, which could be accidentally tapped. The new ...
Read Full Article58 comments
M5 MacBook Pro

Waiting for New Macs? Apple Just Shared Bad News

Friday October 31, 2025 7:32 am PDT by
Apple has just given a strong indication that it will not be releasing any additional new Macs for the remainder of the year. Apple's CFO Kevan Parekh dropped the hint during the company's earnings call on Thursday:On Mac, keep in mind, we expect to face a very difficult compare against the M4 MacBook Pro, Mac mini, and iMac launches in the year-ago quarter.Parekh essentially gave a heads up ...
Read Full Article98 comments
iPhone 17 Pro Cosmic Orange

8 Reasons to Wait for Next Year's iPhone 18 Pro

Thursday October 30, 2025 4:42 am PDT by
Apple's iPhone development roadmap runs several years into the future and the company is continually working with suppliers on several successive iPhone models at the same time, which is why we often get rumored features months ahead of launch. The iPhone 18 series is no different, and we already have a good idea of what to expect for the iPhone 18 Pro and iPhone 18 Pro Max. One thing worth...
Read Full Article120 comments
iOS 26

6 New Things Your iPhone Can Do in iOS 26.1

Wednesday October 29, 2025 4:22 am PDT by
Apple is about to drop iOS 26.1, the first major point release since iOS 26 was rolled out in September, and there are at least six notable changes and improvements to look forward to. We've rounded them up below. Apple has already provided developers and public beta testers with the release candidate version of iOS 26.1, which means Apple will likely roll out the update to all compatible...
Read Full Article62 comments
Apple Foldable Thumb

iPhone Fold: Launch, Pricing, and What to Expect From Apple's Foldable

Friday October 31, 2025 8:52 am PDT by
Apple is expected to launch a new foldable iPhone next year, based on multiple rumors and credible sources. The long-awaited device has been rumored for years now, but signs increasingly suggest that 2026 could indeed be the year that Apple releases its first foldable device. Below, we've collated an updated set of key details that have been leaked about Apple's foldable iPhone so far. Ove...
Read Full Article81 comments
Coffee Burgundy and Purple iPhone 18 Pro Mock 1

Leaker Outlines Potential New Colors for iPhone 18 Pro

Friday October 31, 2025 8:28 am PDT by
Apple's iPhone 18 Pro models could be available in new rich and warm color option, according to a known leaker. The Weibo user known as "Instant Digital" today suggested that next-year's iPhone 18 Pro models will be available in at least one of the following color options: Coffee, purple, and burgundy. The iPhone XR, iPhone 11, iPhone 12, iPhone 14, and iPhone 14 Pro were all available in ...
Read Full Article133 comments
apple tv hd

Apple Launched Its Big New Vision for TV 10 Years Ago Today

Thursday October 30, 2025 8:58 am PDT by
Apple launched the Apple TV HD, the Siri Remote, tvOS, and their accompanying App Store a decade ago today, marking a major overhaul of the device. The new vision for the Apple TV was unveiled on September 9, 2015 during Apple's "Hey Siri" event in San Francisco, where CEO Tim Cook introduced the device with the statement, "The future of TV is apps." The announcement represented a major...
Read Full Article88 comments
iOS 26

Apple This November: iOS 26.2 Beta, Rumored New Products, and More

Thursday October 30, 2025 12:42 pm PDT by
Tomorrow is Halloween, and then November is upon us. Below, we outline what to expect from Apple next month, as the slower holiday season approaches. Apple is expected to kick off November by releasing iOS 26.1, iPadOS 26.1, macOS 26.1, watchOS 26.1, tvOS 26.1, and visionOS 26.1. With beta testing now wrapped up, the updates will likely be released this Monday, November 3 or Tuesday,...
Read Full Article18 comments
iOS 26

iOS 26.1 Coming Soon: New Features for Your iPhone and Release Date

Monday October 27, 2025 7:55 am PDT by
The upcoming iOS 26.1 update includes a handful of new features and changes for iPhones, including a toggle for changing the appearance of the Liquid Glass design, "slide to stop" for alarms in the Clock app, and more. Below, we outline key details about iOS 26.1. Release Date Given that Apple has yet to seed an iOS 26.1 Release Candidate, which is typically the final beta version, the...
Read Full Article
maxresdefault

Apple TV 4K Could Still Launch Before 2025 Ends: All the Rumored Features

Monday October 27, 2025 4:51 pm PDT by
Apple is designing an updated version of the Apple TV 4K, and rumors suggest that it could come out sometime in the next couple of months. We're not expecting a major overhaul with design changes, but even a simple chip upgrade will bring major improvements to Apple's set-top box. Subscribe to the MacRumors YouTube channel for more videos. We've rounded up all the latest Apple TV rumors. ...
Read Full Article162 comments

Top Rated Comments

goonie4life9 Avatar
goonie4life9
16 months ago
Not to worry, everyone, because Apple Support has the fix at the ready for this issue that they have never heard about, so it can’t be affecting customers:

1. Restart your device
2. Force restart your device
3. Reset network settings
4. Erase and reinstall, setting-up as new
5. RTA to Engineering
6. Engineering will request logs, with Mail logging enabled just to be safe
7. Within 48 hr, Engineering will let you know that this is a known issue, to keep your device up to date, and no further troubleshooting will be provided
Score: 20 Votes (Like | Disagree)
shamino Avatar
shamino
16 months ago
I wonder what the deal really is. The 0.0.0.0 address should be rejected by the OS's network stack. According to RF 1122 (from 1989), section 3213, the all-zeros address (that is, network zero, host zero) means "this host on this network" and goes on to say that it should not be used, except for specific circumstances:


(a) { 0, 0 }
This host on this network. MUST NOT be sent, except as
a source address as part of an initialization procedure
by which the host learns its own IP address.

See also Section 3.3.6 ('https://datatracker.ietf.org/doc/html/rfc1122#section-3.3.6') for a non-standard use of {0,0}.
Section 3.3.6 discusses broadcast addresses and states that a non-standard implementation (specifically citing BSD 4.2, but not 4.3) might use zero instead of -1 for the network/subnet/host fields of a broadcast packet and that hosts should accept incoming packets as such, making 0.0.0.0 equivalent to 255.255.255.255.

So the question remains: what does Apple need to fix? Any code trying to send a packet to/from address 0.0.0.0 should just get an error back from the network stack. And given the extreme age of systems that might use it as a broadcast address, the stack should probably reject packets from the network that use it as a destination unless the system is explicitly configured to allow them.

And if macOS's stack is not not discarding packets addressed to 0.0.0.0 and is not treating them identically to 255.255.255.255, well, then they've got a bug that should be fixed whether or not there's an exploit.
Score: 16 Votes (Like | Disagree)
Populus Avatar
Populus
16 months ago
If this vulnerability is as serious as it seems, in my humble opinion it should be adressed or, at least, mitigated, in the next security updates of Safari 17, and even on the upcoming security patch of iOS 16 and Monterey.
Score: 10 Votes (Like | Disagree)
Nugget Avatar
Nugget
16 months ago
I hope the remediation for this exploit doesn't impact DNS-based ad blockers like Pi-hole which currently use the 0.0.0.0 address as the mechanism for blocking traffic to blacklisted hostnames.

Also, "Reader mode" in Safari bypasses the subscription nag on the linked article.
Score: 5 Votes (Like | Disagree)
foobarbaz Avatar
foobarbaz
16 months ago
The description is vague, but I figure the following is going on:

Some app on the local machine is running a web server. This is either a developer running a dev build of a website locally or another software that uses HTTP internally (more than you think).

Normally such a server is never reachable from the outside. But Javascript on a website is not outside, it's running locally, so it can access these local web servers. And if they don't require authentication (e.g. maybe because the dev hasn't implemented it yet, or because security relies on it not being reachable from the outside), the Javascript can use the local web server to do nasty things, including accessing the users data.

But it's somewhat of an old hat. Some people claim it's "working as designed". Safari normally blocks such local requests, but Chrome didn't last time I checked. (It's a major reason I'm not using Chrome.) But I guess they figured out a way around Safari's block, which is what they probably reported to Apple.
Score: 4 Votes (Like | Disagree)
richie510 Avatar
richie510
16 months ago

I hope the remediation for this exploit doesn't impact DNS-based ad blockers like Pi-hole which currently use the 0.0.0.0 address as the mechanism for blocking traffic to blacklisted hostnames.

Also, "Reader mode" in Safari bypasses the subscription nag on the linked article.
I do not think this should affect pi-hole. pi-hole uses 0.0.0.0 as a null address that should be rejected by the OS. https://docs.pi-hole.net/ftldns/blockingmode/
Score: 4 Votes (Like | Disagree)
Read All Comments